differences between time machine and argus capturing payload

Mark Poepping poepping at cmu.edu
Fri Apr 19 14:34:57 EDT 2013


IIRC,

Lots of people are trying out Time Machine with Bro these days; mostly
I think because there are more people and effort aware of it versus argus.  It
seems to me a more modular approach, which some might also prefer, though I
don't think it's as powerful (not yet at least).  I'm pretty sure that argus
can adjust capture size based on protocol and might even adjust capture on a
per-flow pattern basis (beyond typical flow tuple) and interpret what you
need as the flow goes by instead of an arbitrary # of bytes regardless of
content.

Frankly, I don't think anyone could do it more efficiently than Carter
either, but that's my own personal bias.
Mark.


> -----Original Message-----
> From: argus-info-bounces+poepping=cmu.edu at lists.andrew.cmu.edu
> [mailto:argus-info-bounces+poepping=cmu.edu at lists.andrew.cmu.edu] On
> Behalf Of Harry Hoffman
> Sent: Friday, April 19, 2013 12:52 PM
> To: Argus
> Subject: [ARGUS] differences between time machine and argus capturing
> payload
> 
> Hi All,
> 
> So, I just got back from Educause SPC where the bro guys reminded me about
> time machine (I hadn't looked at it in a really long time).
> 
> I decided to go today and have a read over it and from the description I'm
> not sure that I can find the differences between time machine and having
> argus store packet payload for a given N bytes.
> 
> From the website:
> "Since it is not feasible to capture the complete load of a fully utilized
> Gbps link to disk, the time machine utilizes a mechanism called "connection
> cutoff" to reduce the amount of data to process. This "connection cutoff"
> only records the first X bytes of every monitored connection (identified
> via the 5-tuple of source and destination IP and port and the transport
> protocol). Indeed this approach does not impair the analysis capabilities
> (unless the cutoff is set too low) because most of the "interesting" data
> is located in the first few packets of a connection. The efficiency of this
> approach comes from leveraging the heavy-tailed nature of network traffic:
> because the bulk of the traffic in high-volume streams comes from just a
> few connections."
> 
> Anyone using time machine and/or argus to do this and care to comment?
> 
> Cheers,
> Harry
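The "connection cutoff" mechanism quoted in the original message, as an added worked example that is not part of either poster's message and is not Time Machine's or argus's own code. It keys each packet on a direction-independent 5-tuple, admits packets until the connection's byte budget is spent, then drops the rest, and reports how many bytes and how many whole connections survive. The traffic mix, addresses and ports are constructed for the demonstration (50 short request/response connections plus 2 bulk transfers, to mimic the heavy-tailed distribution the website describes); the choice to keep the packet that crosses the threshold whole, rather than truncating it, is an assumption of this example, not something the page states about Time Machine.

```python
import random
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One packet of a monitored connection (constructed for this example)."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    payload_len: int


def flow_key(pkt):
    """5-tuple key, made direction-independent so both halves of a
    connection draw on the same byte budget."""
    a, b = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
    lo, hi = (a, b) if a <= b else (b, a)
    return (lo, hi, pkt.proto)


class ConnectionCutoff:
    """Keeps the first `cutoff` bytes of every connection and drops the rest.
    Assumption of this example: the packet that crosses the threshold is kept
    whole; a capture engine could truncate it instead."""

    def __init__(self, cutoff):
        self.cutoff = cutoff
        self.seen = defaultdict(int)   # flow_key -> bytes admitted so far

    def admit(self, pkt):
        key = flow_key(pkt)
        if self.seen[key] >= self.cutoff:
            return False
        self.seen[key] += pkt.payload_len
        return True


def build_sample_traffic():
    """Constructed heavy-tailed mix: 50 short connections of 4 x 75 bytes
    (15,000 bytes total) and 2 bulk transfers of 1000 x 1400 bytes
    (2,800,000 bytes total). Addresses and ports are made up."""
    pkts = []
    for i in range(50):
        for _ in range(4):
            pkts.append(Packet("10.0.0.%d" % (i + 1), 40000 + i,
                               "192.0.2.10", 80, "tcp", 75))
    for j in range(2):
        for _ in range(1000):
            pkts.append(Packet("10.0.1.%d" % (j + 1), 50000 + j,
                               "192.0.2.20", 443, "tcp", 1400))
    # Interleave flows deterministically so the filter sees them mixed, as on a live link.
    random.Random(1).shuffle(pkts)
    return pkts


def cutoff_stats(packets, cutoff):
    """Run the cutoff over a packet list and report bytes and whole
    connections retained. Per-flow accounting is order-independent."""
    filt = ConnectionCutoff(cutoff)
    total = defaultdict(int)
    kept = defaultdict(int)
    for p in packets:
        k = flow_key(p)
        total[k] += p.payload_len
        if filt.admit(p):
            kept[k] += p.payload_len
    return {
        "total_bytes": sum(total.values()),
        "kept_bytes": sum(kept.values()),
        "connections": len(total),
        "fully_kept": sum(1 for k in total if kept[k] == total[k]),
    }


if __name__ == "__main__":
    traffic = build_sample_traffic()
    # 10 KB cutoff: every short connection survives intact, the two bulk
    # transfers are cut to ~11 KB each, and total volume drops ~75x.
    # 200-byte cutoff: too low, every connection (even the short ones) is truncated.
    for cutoff in (10_000, 200):
        s = cutoff_stats(traffic, cutoff)
        print("cutoff=%6d  kept %d/%d bytes, %d/%d connections complete"
              % (cutoff, s["kept_bytes"], s["total_bytes"],
                 s["fully_kept"], s["connections"]))
```

The second run is the caveat from the quoted text made concrete: once the cutoff drops below the size of an ordinary request/response exchange, the "first few packets" that carry the interesting data are no longer fully captured, so the cutoff has to be chosen against the protocols actually on the link rather than purely for disk savings.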